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CLAIMS 

1 . A method of at least partially authenticating a user on a communications network, the 
method comprising acts of: 
5 (A) transmitting a first communication from a first network device to a second network 

device, wherein the first communication includes a challenge; 

(B) in response to receiving the challenge, generating a preliminary hash value by 
performing only part of a hash function on a first part of the challenge, wherein the first part is 
less than the complete challenge; 
10 (C) transmitting a second communication from the second network device to the first 

network device, the second communication including the preliminary hash value; and 

(D) completing performance of the hash function on the first network device to produce a 
final hash value. 

15 2. The method of claim 1, wherein act (B) comprises: 

performing only part of a Message Digest 5-based encryption function. 

3. The method of claim 2, wherein a standard Message Digest 5 algorithm includes adding an 
appendage of information to information to be communicated to produce padded information that 

20 has a length that is a multiple of sixty-four octets, and includes inputting the padded information 
to a standard Message Digest 5 function, and wherein act (B) comprises: 

(1) generating an input sequence to the Message Digest 5-based encryption function by 
concatenating information to be communicated from the second network device to the first 
network device; and 

25 (2) inputting the input sequence into the Message Digest 5-based encryption function 

without previously adding an appendage of information to the input sequence. 

4. The method of claim 1, wherein the complete performance of the hash function involves 
performing a first number of iterations, act (B) includes performing a second number of iterations 

30 less than the first number of iterations and act (D) includes performing a third number of 

iterations equal to the first number minus the second number, resulting in a complete performance 
of the hash function. 
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5. The method of claim 1, wherein act (D) includes completing the hash function using a 
second part of the challenge, wherein the first part and the second part form the complete 
challenge. 

6. The method of claim 1, wherein act (B) includes generating the preliminary hash value 
based, at least in part, on the first part of the challenge and a user credential. 

7. The method of claim 6, wherein act (B) includes dividing the challenge into the first part 
and a second part, and the method further comprises: 

(E) configuring the second communication to include an indication of a length in bits of 
the user credential, and 

wherein act (D) includes completing the hash function based, at least in part, on the second 
part of the challenge and the length of the user credential. 

8. The method of claim 7, wherein act (D) includes: 

(1) determining a state of the hash function based, at least in part, on the length of the user 
credential; and 

(2) completing the hash function based, at least in part, on the determined state. 

9. The method of claim 7, wherein act (D) further comprises: 

(1) determining a length of the second part based, at least in part, on a length of the 
challenge and the length of the user credential; and 

(2) completing the hash function based, at least in part, on the determined length of the 
second part. 

10. The method of claim 1, further comprising an act of: 
(E) generating the challenge on the first network device, including generating a portion of 

the challenge having a length equal to a desired amount of entropy for the challenge, and 
30 appending bits to the portion of the challenge to produce the challenge. 

11. The method of claim 10, wherein act (E) includes appending sixty-three bits to the portion. 
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12. The method of claim 1, wherein the challenge includes a plurality of sequences of bits, the 
method further comprising an act of: 

(E) generating the challenge on the first network device, including configuring one or 
5 more of the plurality of sequences to include at least one non-zero bit. 

13. The method of claim 12, wherein each sequence is an octet of bits. 

14. The method of claim 1, further comprising an act of: 

10 (E) generating the challenge on the first network device, including configuring the 

challenge to include at least a minimum number of octets of bits. 

15. The method of claim 1, wherein act (B) comprises: 

(1) determining a length of a concatenation of an authentication protocol identifier, a user 
15 credential and the challenge; and 

(2) dividing the challenge into the first part and a second part based on the determined 

length. 

16. The method of claim 1, further comprising an act of: 

20 (E) authenticating the user based on the final hash value. 

17. The method of claim 1, wherein the method further comprises an act of: 

(E) transmitting a third communication including the final hash value to a third network 
device configured to authenticate the user. 

25 

18. The method of claim 1, wherein act (A) includes transmitting the first communication 
within a tunnel between the first network device and the second network device and Act (C) 
includes transmitting the second communication within the tunnel. 

30 19. A system for at least partially authenticating a user on a communications network, the 
system comprising: 
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a first communication device operative to transmit a first communication from a first 
network device to a second network device, wherein the first communication includes a 
challenge; and 

a second network device, operative to receive the challenge, generate a preliminary hash 
5 value by performing only part of a hash function on a first part of the challenge, wherein the first 
part is less than the complete challenge, and to transmit a second communication from the second 
network device to the first network device, the second communication including the preliminary 
hash value, 

wherein the first network device is operative to complete performance of the hash function 
10 to produce a final hash value. 

20. The system f claim 19, wherein the second network device is operative to perform only 
part of a Message Digest 5-based encryption function. 

15 21. The system of claim 20, wherein a standard Message Digest 5 algorithm includes adding 
an appendage of information to information to be communicated to produce padded information 
that has a length that is a multiple of sixty-four octets, and includes inputting the padded 
information to a standard Message Digest 5 function, and 

wherein the second network device is operative to generate an input sequence to the 

20 Message Digest 5-based encryption function by concatenating information to be communicated 
from the second network device to the first network device, and to input the input sequence into 
the Message Digest 5-based encryption function without previously adding an appendage of 
information to the input sequence. 

25 22. The system of claim 19, wherein the complete performance of the hash function involves 
performing a first number of iterations, and the second network device is operative to perform a 
second number of iterations less than the first number of iterations, and wherein the first network 
device is operative to perform a third number of iterations equal to the first number minus the 
second number, resulting in a complete performance of the hash function. 

30 
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23. The system of claim 19, wherein the first network device is operative to complete the hash 
function using a second part of the challenge, wherein the first part and the second part form the 
complete challenge. 

5 24. The system of claim 19, wherein the first network device is operative to generate the 
preliminary hash value based, at least in part, on the first part of the challenge and a user 
credential. 

25. The system of claim 24, wherein the second network device is operative to divide the 
10 challenge into the first part and a second part, and to configure the second communication to 
include an indication of a length in bits of the user credential, and the first network device is 
operative to complete the hash function based, at least in part, on the second part of the challenge 
and the length of the user credential. 

15 26. The system of claim 25, wherein the first network device is operative to determine a state 
of the hash function based, at least in part, on the length of the user credential, and to complete the 
hash function based, at least in part, on the determined length. 

27. The system of claim 25, wherein the first network device is operative to determine a 

20 length of the second part based, at least in part, on a length of the challenge and the length of the 
user credential, and to complete the hash function based, at least in part, on the determined length 
of the second part. 

28. The system of claim 19, wherein the first network device is operative to generate the 
25 challenge on the first network device, including generating a portion of the challenge having a 

length equal to a desired amount of entropy for the challenge, and to append bits to the portion of 
the challenge to produce the challenge. 



30 



29. The method of claim 28, wherein the first network device is operative to append sixty- 
three bits to the portion. 
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30. The system of claim 19, wherein the challenge includes a plurality of sequences of bits, 
and the first network device is operative to generate the challenge on the first network device, 
including configuring one or more of the plurality of sequences to include at least one non-zero 
bit 

5 

31. The system of claim 30, wherein each sequence is an octet of bits. 

32. The system of claim 19, wherein the first network device is operative to generate the 
challenge on the first network device, including configuring the challenge to include at least a 

10 minimum length of bits. 

33. The system of claim 19, wherein the second network device is operative to determine a 
length of a concatenation of an authentication protocol identifier, a user credential and the 
challenge, and to divide the challenge into the first part and a second part based on the determined 

15 length. 

34. The system of claim 19, wherein the first network device is operative to authenticate the 
user based on the final hash value. 

20 35. The system of claim 19, wherein the first network device is operative to transmit a third 

communication including the final hash value to a third network device configured to authenticate 
the user. 

36. The system of claim 19, wherein the first network device is operative to transmit the first 
25 communication within a tunnel between the first network device and the second network device. 

37. The system of claim 19, wherein the second communication device is operative to transmit 
the second communication with a tunnel between the first device and the second device. 

30 38. A system for at least partially authenticating a user on a communications network, the 
system comprising: 
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a first communication device operative to transmit a first communication from a first 
network device to a second network device, wherein the first communication includes a 
challenge; and 

a second network device operative to receive the challenge and transmit a second 
5 communication from the second network device to the first network device, the second 
communication including a preliminary hash value, 

wherein the second network device includes means for generating a preliminary hash 
value by performing only part of a hash function on a first part of the challenge, wherein the first 
part is less than the complete challenge, and 
10 wherein the first network device includes means for completing performance of the hash 

function to produce a final hash value. 



39. A computer-readable medium having computer-readable signals stored thereon that define 
instructions that, as a result of being executed by a computer, control the computer to perform a 
15 method of at least partially authenticating a user on a communications network, the method 
comprising: 

(A) transmitting a first communication from a first network device to a second network 
device, wherein the first communication includes a challenge; 

(B) in response to receiving the challenge, generating a preliminary hash value by 

20 performing only part of a hash function on a first part of the challenge, wherein the first part is 
less than the complete challenge; and 

(C) transmitting a second communication from the second network device to the first 
network device, the second communication including the preliminary hash value; and 

(D) completing performance of the hash function on the first network device to produce a 
25 final hash value. 



40. A method of at least partially authenticating a user on a communications network, the 
method comprising acts of: 

(A) transmitting a first communication from a first network device to a second network 
30 device, wherein the first communication includes a challenge; 

(B) receiving a second communication from the second network device to the first 
network device, the second communication including a preliminary hash value resulting from 
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performance of only part of a hash function on a first part of the challenge, wherein the first part 
is less than the complete challenge; and 

(C) completing performance of the hash function on the first network device to produce a 
final hash value. 

5 

41. The method of claim 40, wherein the preliminary hash value is a result of partial 
performance of an Message Digest 5-based encryption function on the first part of the challenge, 
and wherein act (C) comprises: 

completing the Message Digest 5-based encryption function. 

10 

42. The method of claim 40, wherein the complete performance of the hash function involves 
performing a first number of iterations, and wherein the preliminary hash value resulted from 
performance of a second number of iterations less than the first number of iterations, and 

wherein act (C) includes performing a third number of iterations equal to the first number 
15 minus the second number, resulting in a complete performance of the hash function 

43. The method of claim 40, wherein act (C) includes completing the hash function using a 
second part of the challenge, wherein the first part and the second part form the complete 
challenge. 

20 

44. The method of claim 40, wherein the challenge includes two parts: the first part and a 
second part, and the preliminary hash value is based, at least in part, on the first part of the 
challenge and a user credential, and the second communication includes an indication of a length 
in bits of the user credential, and 

25 wherein act (C) includes completing the hash function based, at least in part, on the second 

part of the challenge and the length of the user credential. 

45. The method of claim 44, wherein act (C) includes: 

(1) determining a state of the hash function based, at least in part, on the length of the user 
30 credential; and 

(2) completing the hash function based, at least in part, on the determined state. 
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46. The method of claim 44, wherein act (C) further comprises: 

(1) determining a length of the second part based, at least in part, on a length of the 
challenge and the length of the user credential; and 

(2) completing the hash function based, at least in part, on the determined length of the 
5 second part. 

47. The method of claim 40, further comprising an act of: 

(D) generating the challenge on the first network device, including generating a portion of 
the challenge having a length equal to a desired amount of entropy for the challenge, and 
10 appending bits to the portion of the challenge to produce the challenge. 

48. The method of claim 43, wherein act (D) includes appending sixty-three bits to the 
challenge. 

15 49. The method of claim 40, wherein the challenge includes a plurality of sequences of bits, 
the method further comprising an act of: 

(D) generating the challenge on the first network device, including configuring one or 
more of the plurality of sequences to include at least one non-zero bit. 

20 50. The method of claim 49, wherein each sequence is an octet of bits. 

5 1 . The method of claim 40, further comprising an act of: 

(D) generating the challenge on the first network device, including configuring the 
challenge to include at least a minimum length of bits. 

25 

52. The method of claim 40, further comprising an act of: 
(D) authenticating the user based on the final hash value. 

53. The method of claim 40, wherein the method further comprises an act of: 

30 (D) transmitting a third communication including the final hash value to a third network 

device configured to authenticate the user. 
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54. A tunnel server residing on a first network device of a communications network for at 
least partially authenticating a user on the communications network, the tunnel server comprising: 

a challenge generator to generate a challenge that is transmitted from the first network 
device to a second network device; 
5 a final hash value generator to receive a preliminary hash value from the second network 

device, the preliminary hash value resulting from performance of only part of a hash function on 
a first part of the challenge, wherein the first part is less than the complete challenge, 

wherein the final hash value generator is operative to complete performance of the hash 
function on the first network device to produce a final hash value. 

10 

55. The tunnel server of claim 54, wherein the complete performance of the hash function 
involves performing a first number of iterations, and the preliminary hash value is the result of 
performance of a second number of iterations less than the first number of iterations, and wherein 
the final hash value generator is operative to perform a third number of iterations equal to the first 

15 number minus the second number, resulting in a complete performance of the hash function. 

56. The tunnel server of claim 54, wherein the final hash value generator is operative to 
complete the hash function using a second part of the challenge, wherein the first part and the 
second part form the complete challenge. 

20 

57. The tunnel server of claim 54, wherein the challenge includes the first part and a second 
part, and the second communication includes an indication of a length in bits of a user credential, 
and 

wherein the final hash value generator is operative to complete the hash function based, at 
25 least in part, on the second part of the challenge and the length of the user credential. 

58. The tunnel server of claim 57, wherein the final hash value generator is operative to 
determine a state of the hash function based, at least in part, on the length of the user credential, 
and to for complete the hash function based, at least in part, on the determined length. 

30 

59. The tunnel server of claim 57, wherein the final hash value generator is operative to 
determine a length of the second part based, at least in part, on a length of the challenge and the 



-50- 

length of the user credential, and to complete the hash function based, at least in part, on the 
determined length of the second part. 



60. The tunnel server of claim 54, wherein the challenge generator is operative to generate the 
5 challenge, to generate a portion of the challenge having a length equal to a desired amount of 

entropy for the challenge, and to append bits to the portion of the challenge to produce the 
challenge. 

61 . The tunnel server of claim 60, wherein the challenge generator is operative to append 
10 sixty-three bits to the portion. 

62. The tunnel server of claim 54, wherein the challenge includes a plurality of sequences of 
bits, and the challenge generator is operative to generate the challenge, and to configure one or 
more of the plurality of sequences to include at least one non-zero bit. 

15 

63. The tunnel server of claim 62, wherein each sequence is an octet of bits. 

64. The tunnel server of claim 54, wherein the challenge generator is operative to generate the 
challenge, including configuring the challenge to include at least a minimum length of bits. 

20 

65. The tunnel server of claim 54, wherein the tunnel server is operative to authenticate the 
user based on the final hash value. 

66. The tunnel server of claim 54, wherein the tunnel server is operative to control 

25 transmission of a third communication including the final hash value to a third network device 
configured to authenticate the user. 

67. The tunnel server of claim 54, wherein the tunnel server is operative to control 
transmission of the first communication within a tunnel between the first network device and the 

30 second network device. 
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68. A tunnel server residing on a first network device of a communications network for at 
least partially authenticating a user on the communications network, the tunnel server comprising: 

a challenge generator to generate a challenge that is transmitted from the first network 
device to a second network device, wherein the tunnel server is operative to receive a preliminary 
5 hash value from the second network device, the preliminary hash value resulting from 

performance of only part of a hash function on a first part of the challenge, wherein the first part 
is less than the complete challenge; and 

means for completing performance of the hash function on the first network device to 
produce a final hash value. 

10 

69. A computer-readable medium having computer-readable signals stored thereon that define 
instructions that, as a result of being executed by a computer, control the computer to perform a 
method of at least partially authenticating a user on a communications network, the method 
comprising acts of: 

15 (A) transmitting a first communication from a first network device to a second network 

device, wherein the first communication includes a challenge; 

(B) receiving a second communication from the second network device to the first 
network device, the second communication including a preliminary hash value generated by 
performing only part of a hash function on a first part of the challenge, wherein the first part is 

20 less than the complete challenge; and 

(C) completing performance of the hash function on the first network device to produce a 
final hash value. 

70. A method of at least partially authenticating a user on a communications network in 
25 response to a challenge received at a second network device from a first network device, the 

method comprising acts of: 

(A) generating a preliminary hash value by performing only part of a hash function on a 
first part of the challenge wherein the first part is less than the complete challenge; and 

(B) transmitting a communication from the second network device to the first network 
30 device, the communication including the preliminary hash value. 

71. The method of claim 70, wherein act (A) comprises: 
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performing only part of a Message Digest 5-based encryption function. 



72. The method of claim 71, wherein a standard Message Digest 5 algorithm includes adding 
an appendage of information to information to be communicated to produce padded information 

5 that has a length that is a multiple of sixty-four octets, and includes inputting the padded 
information to a standard Message Digest 5 function, and wherein act (A) comprises: 

(1) generating an input sequence to the Message Digest 5-based encryption function by 
concatenating information to be communicated from the second network device to the first 
network device; and 

10 (2) inputting the input sequence into the Message Digest 5-based encryption function 

without previously adding an appendage of information to the input sequence. 

73. The method of claim 70, wherein the complete performance of the hash function involves 
performing a first number of iterations, and act (A) includes performing a second number of 

1 5 iterations less than the first number of iterations. 

74. The method of claim 70, wherein act (A) includes generating the preliminary hash value 
based, at least in part, on the first part of the challenge and a user credential. 

20 75. The method of claim 74, wherein act (A) includes dividing the challenge into the first part 
and a second part, and the method further comprises: 

(E) configuring the communication to include an indication of a length in bits of the user 
credential. 

25 76. The method of claim 70, wherein act (A) comprises: 

(1) determining a length of a concatenation of an authentication protocol identifier, a user 
credential and the challenge; and 

(2) dividing the challenge into the first part and a second part based on the determined 

length. 

30 

77. The method of claim 70, wherein act (A) includes transmitting the first communication 
within a tunnel between the first network device and the second network device.. 
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78. A client residing on a second network device of a communications network, for at least 
partially authenticating a user in response to a challenge received on the second network device 
from a first network device, the client comprising: 

5 a preliminary hash generator to generate a preliminary hash value by performing only part 

of a hash function on a first part of the challenge, wherein the first part is less than the complete 
challenge, 

wherein the second network device is operative to transmit a communication from the 
second network device to the first network device, the communication including the preliminary 
10 hash value. 

79. The client of claim 78, wherein the preliminary hash generator is operative to perform 
only part of a Message Digest 5-based encryption function. 

15 80. The client of claim 79, wherein a standard Message Digest 5 algorithm includes adding an 
appendage of information to information to be communicated to produce padded information that 
has a length that is a multiple of sixty-four octets, and includes inputting the padded information 
to a standard Message Digest 5 function, and 

wherein the preliminary hash generator is operative to generate an input sequence to the 

20 Message Digest 5-based encryption function by concatenating information to be communicated 
from the second network device to the first network device, and to input the input sequence into 
the Message Digest 5-based encryption function without previously adding an appendage of 
information to the input sequence. 

25 81 . The client of claim 78, wherein the complete performance of the hash function involves 
performing a first number of iterations, and 

wherein the preliminary hash generator is operative to perform a second number of 
iterations less than the first number of iterations. 

30 82. The client of claim 78, wherein the preliminary hash generator is operative to generate the 
preliminary hash value based, at least in part, on the first part of the challenge and a user 
credential. 



-54- 



83. The client of claim 82, wherein the preliminary hash generator is operative to divide the 
challenge into the first part and a second part, and to configure the communication to include an 
indication of a length in bits of the user credential 

5 

84. The client of claim 78, wherein the preliminary hash generator is operative to determine a 
length of a concatenation of an authentication protocol identifier, a user credential and the 
challenge, and to divide the challenge into the first part and a second part based on the determined 
length. 

10 

85. The client of claim 78, wherein the client is operative to control transmission of the first 
communication within a tunnel between the first network device and the second network device. 

86. A client residing on a second network device of a communications network, for at least 
15 partially authenticating a user in response to a challenge received on the second network device 

from a first network device, the client comprising: 

means for generating a preliminary hash value by performing only part of a hash function 
on a first part of the challenge, wherein the first part is less than the complete challenge, 

wherein the second network device is operative to transmit a communication from the 
20 second network device to the first network device, the communication including the preliminary 
hash value. 

87. A computer-readable medium having computer-readable signals stored thereon that define 
instructions that, as a result of being executed by a computer, control the computer to perform a 

25 method of at least partially authenticating a user on a communications network in response to a 

challenge received at a second network device from a first network device, the method comprising 
acts of: 

(A) generating a preliminary hash value by performing only part of a hash function on a 
first part of the challenge wherein the first part is less than the complete challenge; and 
30 (B) transmitting a communication from the second network device to the first network 

device, the second communication including the preliminary hash value. 



